Kevin Vasko via FreeIPA-users wrote:
> Hello,
> 
> Does anyone have any tips for completely refreshing (forcing cleaning)
> all Kerberos tickets on a client from FreeIPA?
> 
> I assumed "$ kdestroy -A" should do it, but it certainly doesn't
> completely clear all caches.
> 
> What I'm having trouble with is some NFS/NAS servers using Kerberos.
> I'll set up a new NFS server with Kerberos, the server will have their
> appropriate keytab and services created.
> 
> I'll make sure and clear my local cache on my client with "$ kdestroy
> -A", and then connect to the NFS server. If for some reason I have
> something misconfigured (e.g. time is off) I'll obviously get a "stale
> file handle" or "mount.nfs4: access denied by server". At that point
> I'll correct the issue on the server/client. However, I'll continue
> getting the error even though I destroy the cache. I _know_ it's a cache
> issue _somewhere_ because it will randomly start working (e.g. it will
> be failing, leave for the day and next morning it will mount no problem)
> OR I'll try it on a different client and it will mount successfully. It
> seems so sporadic. I've even been in the situation where I've
> purposefully removed keytabs, LDAP login access and reset the cache on
> the client on systems and the NFS mount has still worked. It will
> continue to work when it shouldn't as I've removed keytab or
> authentications so obviously something is cached.
> 
> Is there a foolproof list of things I need to do to reset the cache(es)?
> kdestroy, services on client and server? Is there a potential force 15
> min TTL or something somewhere I'm missing?

It is probably gssproxy holding the credentials. See
https://pagure.io/gssproxy/blob/master/f/docs/NFS.md

rob